Certificate of Cloud Auditing Knowledge (CCAK) — Question 227
An auditor is reviewing an organization's virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?
Answer options
- A. The auditor should not rely on the CM tool and its settings, and for thoroughness should review the password configuration on the set of sample VMs.
- B. Review the relevant configuration settings on the CM tool and check whether the CM tool agents are operating effectively on the sample VMs.
- C. As it is an automated environment, reviewing the relevant configuration settings on the CM tool would be sufficient.
- D. Review the incident records for any incidents relating to brute force attacks or password compromise in the last 12 months and investigate whether the root cause of the incidents was due to inappropriate password policy configured on the VMs.
Correct answer: B
Explanation
The correct answer is B: it verifies the configuration settings of the CM tool and confirms that its agents are operating effectively on the sample VMs, which is what actually enforces the password policy on each machine. Option A is inadequate because it ignores the CM tool's role, while C oversimplifies the review by assuming that automation guarantees compliance. Option D focuses on past incidents rather than on the current effectiveness of the policy.